Google defends Google Apps security

Google Inc. this week came out swinging at critics who have called on the city of Los Angeles to rethink its plan to implement the Google Apps hosted e-mail and office applications due to privacy and security concerns.

In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data, and better maintain its privacy.

"From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors.

Meanwhile, top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementations in the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the City Council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.

The controversy centers on a plan by the City of Los Angeles to replace its Novell GroupWise e-mail and Microsoft Office applications with Google Apps. Under the $US7.25 million plan, the city will transition about 30,000 users to Google's e-mail and office productivity products by the end of December 2009.

City officials have said that they expect the move will save Los Angeles more than $US13 million in software license and manpower costs over the next five years. The plan is expected to be approved by city council members as early as next week and the implementation process is scheduled to begin soon thereafter. If approved, L.A. will become the second major city after L.A. to migrate its applications to Google's cloud infrastructure.

The migration would make Google, which hosts the servers running the applications, responsible for retaining and protecting sensitive health care and litigation data along with criminal and drug investigation records. Since the plan was proposed, critics from various organizations, including the Los Angeles Police Department, the City Attorney's office and public interest groups, have raised questions about the privacy and security implications of storing sensitive data in the cloud for access via the public Internet. The concerns received a fresh airing following the recent Twitter Inc. security breach caused by an attacker gaining access to a worker's e-mail on the Gmail system hosted by Google. Glotzbach yesterday contended that the concerns have been raised as part of an effort by some rivals and others to spread fear, uncertainty and doubt over the company's cloud computing service.

"There seems to be this sentiment that this was some secret, backroom kind of process," Glotzbach said. Instead, Google won the contract over 15 rival bidders largely because of the security and privacy controls in Google Apps, he added. In fact, as city officials reviewed the contract over the past eight months, Google engineers have been working with the city's technology team and police department representatives to understand and address security and privacy concerns, he said.

Glotzbach claimed that Google Apps will offer better data protection than is currently available for the city's applications for a number of reasons. For instance, having Google host and manage the applications means the city won't have to worry about installing new security patches, or expend the resources needed to implement them. Similarly, it's harder for hackers to launch attacks on hosted software because they won't know which server or data center is hosting the data, he said.

In addition, he said that all sensitive data will be encrypted while in transit and storage, and that the only way users can access Google Apps applications is by first authenticating themselves to the city's primary authentication server. Glotzbach rejected suggestions that the hosted Gmail e-mail application would weaken current security protections. For example, he said that current transmission rules, such as the police department's edict that prevents certain information from being included in e-mail messages, will not change.

Randi Levin, the city's chief technology officer and ITA general manager, said that the project has received tentative approval from the California State Department of Justice after a review of the city's plans for addressing security and privacy concerns. In addition, the ITA has met with the police department, the City Attorney's office and Google to discuss enhanced encryption methods that will be used to protect highly sensitive data, she said.

During the planning phase of the project, the ITA must demonstrate that its plan for security controls will work as promised, said Kevin Crawford, assistant general manager of the ITA. "To say or infer that we have not worked with the DoJ or have any concurrence from them on the plan, is not correct. We have worked extensively with the DoJ and they have approved the plan and now need to see it functioning as described in an operational manner to provide final approval," he said.

The final decision by the justice department will likely be a crucial factor in whether the police department agrees to use Google Apps.

Juan Bustamante, a spokesman for Mayor Villaraigosa's office, said the contract right now is in the hands of the city's technology council. After review by the council it will be put up for approval by city council members. At that point, the project will move ahead as planned, he said.
